SCIENTIFIC-LINUX-ERRATA Archives

June 2015

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Date: Mon, 15 Jun 2015 19:51:57 +0000
Synopsis:          moderate: Moderate: Openssl Security Update security update
Advisory ID:       SLSA-2015:1115-1
Issue Date:        2015-06-15
CVE Numbers:       CVE-2014-8176
                   CVE-2015-1789
                   CVE-2015-1790
                   CVE-2015-1791
                   CVE-2015-1792
                   CVE-2015-3216
--

An invalid free flaw was found in the way OpenSSL handled certain DTLS
handshake messages. A malicious DTLS client or server could cause a DTLS
server or client using OpenSSL to crash or, potentially, execute arbitrary
code. (CVE-2014-8176)

A flaw was found in the way the OpenSSL packages shipped with Scientific
Linux 6 and 7 performed locking in the ssleay_rand_bytes() function. This
issue could possibly cause a multi-threaded application using OpenSSL to
perform an out-of-bounds read and crash. (CVE-2015-3216)

An out-of-bounds read flaw was found in the X509_cmp_time() function of
OpenSSL. A specially crafted X.509 certificate or a Certificate Revocation
List (CRL) could possibly cause a TLS/SSL server or client using OpenSSL
to crash. (CVE-2015-1789)

A race condition was found in the session handling code of OpenSSL. This
issue could possibly cause a multi-threaded TLS/SSL client using OpenSSL
to double free session ticket data and crash. (CVE-2015-1791)

A flaw was found in the way OpenSSL handled Cryptographic Message Syntax
(CMS) messages. A CMS message with an unknown hash function identifier
could cause an application using OpenSSL to enter an infinite loop.
(CVE-2015-1792)

A NULL pointer dereference was found in the way OpenSSL handled certain
PKCS#7 inputs. A specially crafted PKCS#7 input with missing
EncryptedContent data could cause an application using OpenSSL to crash.
(CVE-2015-1790)

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.
--

SL6
  x86_64
    openssl-debuginfo-1.0.1e-30.el6_6.11.x86_64.rpm
    openssl-devel-1.0.1e-30.el6_6.11.x86_64.rpm
    openssl-1.0.1e-30.el6_6.11.i686.rpm
    openssl-1.0.1e-30.el6_6.11.x86_64.rpm
    openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm
    openssl-static-1.0.1e-30.el6_6.11.x86_64.rpm
    openssl-perl-1.0.1e-30.el6_6.11.x86_64.rpm
    openssl-devel-1.0.1e-30.el6_6.11.i686.rpm
  i386
    openssl-static-1.0.1e-30.el6_6.11.i686.rpm
    openssl-1.0.1e-30.el6_6.11.i686.rpm
    openssl-devel-1.0.1e-30.el6_6.11.i686.rpm
    openssl-perl-1.0.1e-30.el6_6.11.i686.rpm
    openssl-debuginfo-1.0.1e-30.el6_6.11.i686.rpm
  srpm
    openssl-1.0.1e-30.el6_6.11.src.rpm
SL7
  x86_64
    openssl-static-1.0.1e-42.el7_1.8.i686.rpm
    openssl-libs-1.0.1e-42.el7_1.8.i686.rpm
    openssl-libs-1.0.1e-42.el7_1.8.x86_64.rpm
    openssl-static-1.0.1e-42.el7_1.8.x86_64.rpm
    openssl-perl-1.0.1e-42.el7_1.8.x86_64.rpm
    openssl-1.0.1e-42.el7_1.8.x86_64.rpm
    openssl-devel-1.0.1e-42.el7_1.8.x86_64.rpm
    openssl-debuginfo-1.0.1e-42.el7_1.8.x86_64.rpm
    openssl-devel-1.0.1e-42.el7_1.8.i686.rpm
    openssl-debuginfo-1.0.1e-42.el7_1.8.i686.rpm
  srpm
    openssl-1.0.1e-42.el7_1.8.src.rpm

- Scientific Linux Development Team
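
The advisory's restart requirement can be checked after the packages are installed. The script below is an added example, not part of the original message or of any Scientific Linux tooling: it lists processes that still map a libssl or libcrypto file that has been replaced on disk, relying on the ` (deleted)` suffix the Linux kernel shows in `/proc/<pid>/maps` for unlinked files. The function names and the sample tree built by `make_sample_proc` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes still mapping an
# OpenSSL library that was replaced on disk, i.e. services not yet restarted.

# Print distinct deleted libssl/libcrypto paths from one /proc/<pid>/maps file.
stale_openssl_libs() {
    awk '/ \(deleted\)$/ && $6 ~ /\/lib(ssl|crypto)\.so/ && !seen[$6]++ { print $6 }' \
        "$1" 2>/dev/null || true
}

# Walk a proc-style tree (default /proc); print "pid<TAB>comm<TAB>library".
scan_stale_openssl() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        stale_openssl_libs "$dir/maps" | while read -r lib; do
            printf '%s\t%s\t%s\n' "${dir##*/}" "$comm" "$lib"
        done
    done
}

# Build a constructed proc-style tree for an offline demo: pid 101 was started
# before the update, pid 202 after it. All values here are made up.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir "$d/101" "$d/202"
    echo httpd > "$d/101/comm"
    echo sshd > "$d/202/comm"
    cat > "$d/101/maps" <<'EOF'
7f1c2a000000-7f1c2a061000 r-xp 00000000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1c2a061000-7f1c2a065000 r--p 00061000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1c29c00000-7f1c29db6000 r-xp 00000000 fd:00 1309 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1c29800000-7f1c299b6000 r-xp 00000000 fd:00 1200 /usr/lib64/libc-2.12.so
EOF
    cat > "$d/202/maps" <<'EOF'
7f9d10000000-7f9d101b6000 r-xp 00000000 fd:00 2417 /usr/lib64/libcrypto.so.1.0.1e
EOF
    echo "$d"
}

# Usage: script.sh          scan the live /proc (run as root to see every pid)
#        script.sh --demo   scan the constructed sample tree
if [ "${1:-}" = "--demo" ]; then
    scan_stale_openssl "$(make_sample_proc)"
else
    scan_stale_openssl /proc
fi
```

Any process the scan reports is still executing the pre-update library code and needs a restart; an empty result from a root-run scan means no running process holds the old files.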
